Dive Brief:
- A group of 18 organizations connected to the oil and gas industry agreed to take collective action on cyber resilience in an effort announced during the World Economic Forum in Davos, Switzerland Wednesday.
- The organizations include some of the world’s largest energy providers and industrial cybersecurity firms, including Aker BP, Aramco, Dragos, Occidental Petroleum and Suncor, among others.
- The organizations plan to work together on global approaches to boosting cyber resilience, adopting six, consensus-based principles and sharing lessons learned, according to Alexander Klimburg, head of the Center for Cybersecurity, World Economic Forum.
Dive Insight:
The announcement follows the high-profile cyberattacks on Colonial Pipeline in May 2021 and the attacks on the Amsterdam-Rotterdam-Antwerp oil hub facilities in February.
The oil and gas industry has become a major focus of criminal ransomware and nation-state threat actors looking to extort millions in ransomware payments as well as disrupt critical energy supplies. Russia’s invasion of Ukraine has only ramped up those concerns amid fears a retaliatory cyberattack would target key energy supplies in connection to sanctions related to the war.
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said during a press conference at the World Economic Forum that the Colonial Pipeline attack was a “real wake-up call” for the cybersecurity industry about the need to strengthen collective defenses.
“At the end of the day, we know that global infrastructure is all connected,” Easterly said. “We can’t just say we’re going to protect the American homeland or we’re going to protect a place in Europe. We know that we have to partner together to enable us to understand the threat so we can drive down risks to our networks globally.”
Robert Lee, CEO of Dragos, said organizations have been working together to create a playbook for companies to better understand the importance of cyber resilience. It includes high-level guidance for corporate boards to help them understand what the important questions related to a cyberattack are, as well as specific case studies to demonstrate what can happen as a result of an attack.
One example Lee referenced was a cyberattack on an oil and gas facility where the adversary targeted safety systems. A malware error caused the plant to shut down, but the initial intent behind the attack was to hurt or kill people.
“So when we talk about cybersecurity, it’s not just data and identity and credit cards,” Lee said. “Those are important, but we’re also talking about human life.”
